In 2020, there are over 22 billion connected IoT devices worldwide, of which 54% are non-consumer devices. The recent pace of growth and development in embedded and IoT technologies has led to impressive new devices and services. It has also brought new challenges. One of the main challenges is ensuring the security of devices and the reliability of the services they deliver.
At emteria, we argue in favor of managed, open-source-based platforms. With a rich toolset and strong mobile device management capabilities, they ensure rapid and secure update delivery to customer devices.
Major flaws and the 2018 casino example
The recent exposure of 33 major flaws by security expert Forescout is alarming to everyone dedicated to building and maintaining embedded products. Even more alarming is that according to a recent report of Wired “in many cases it wouldn’t actually be feasible for device makers themselves to push patches even if they wanted to or could”.
As a recommended action “IT administrators should patch as many devices as possible as often as possible, knowing the scope of devices connected to a given network”. For this to succeed, patches need to be built and a sound device management solution needs to be in place.
The affected devices are manifold: surveillance cameras, smart home infrastructure, and smart lighting are examples in the private space. In the business space, there is even more potential for harmful misuse. For example, sales terminals, industrial printers, or medical devices are potential gateways into critical enterprise networks. Malicious manipulation of devices and services is possible through those kinds of devices.
One out of countless examples is the 2018 hack of a Las Vegas casino. In this case, the attackers used a smart thermostat in a tropical aquarium in the casino. It gave them an entry point to breach internal databases and download sensitive data on high rollers.
The threat arising from such vulnerabilities is tremendous and ranges from indirect effects such as data loss for exploitation on the black market to direct business impacts through manipulation of devices, for example in manufacturing solutions.
Three ways to ensure device security
One major obstacle to ensuring the security and reliability of devices is monitoring a fleet of devices and delivering security updates to it. In general, this can be realized in three ways:
- Through in-house built proprietary solutions
- Using open-source software
- Relying on managed third-party products and services
Each option offers advantages and disadvantages. With increasing attention to security and user experience, the balance starts to shift.
Proprietary solutions may give the perception of control over one’s solution, usually at the expense of significantly higher cost. More importantly, vulnerabilities may remain undetected for longer time frames, and updates need to be addressed and delivered through custom-made channels. Besides, proprietary solutions will always carry the risk of a “security through obscurity” claim. This is due to a lack of transparency to customers and users.
Open-source solutions, such as those from the Linux community, which has traditionally dominated the IoT application space, have strong advantages compared to proprietary solutions. Vulnerabilities are recognized fast and addressed quickly. However, users are responsible for building the update, integrating it into their product, and delivering it to their customers. This requires specific domain expertise, a skillset, and infrastructure which, in turn, needs to be hosted and managed securely. The associated cost is substantial and will eventually be carried by the customers.
Managed solutions address this operational and technological challenge of open-source solutions. They combine the advantages of both worlds: on the one hand, quick community-driven detection and correction of vulnerabilities; on the other hand, reliable and rapid delivery of security updates to customer devices. The most successful and prominent solution to date is certainly Android, which has revolutionized user experience in the consumer electronics space over the last decade and is ready for industrial applications. It is worth noting that, in contrast to Android’s deployment in consumer devices, the lifetime of industrial devices is longer, and with this, there is a stronger incentive to deliver updates.
emteria’s approach to device security
emteria is proud to contribute to the highest security level for our customers with its Android-based approach. The approach includes regular security update delivery and native mobile device management capabilities. emteria invests in the detection of common vulnerabilities and exposures. After that, patches are delivered via OTA (over-the-air) platform updates. As a result, IT administrators and device fleet operators ensure the protection of their network and fleet. Applying updates through mobile device management is possible in just a few clicks. emteria.OS is currently available for several popular platforms. The portfolio of supported hardware platforms grows constantly.